So, recently i've been downloading several high-risk and malicious programs/files/etc... At first, wireshark didnt find any ftp connections, meaning I haven't been keylogged then. But when i started wireshark today, i found several ftp connection, meaning i am the victim of keyloggers... Can anybody please help me on how to get rid of these connections? Here are some of the ftp's found by wireshark.. No. Time Source Destination Protocol Length Info 2 30.044721000 169.254.195.50 169.254.255.255 UDP 86 Source port: 57621 Destination port: 57621 Frame 2: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0 Ethernet II, Src: CadmusCo_00:fc:d0 (08:00:27:00:fc:d0), Dst: Broadcast (ff:ff:ff:ff:ff:ff) Internet Protocol Version 4, Src: 169.254.195.50 (169.254.195.50), Dst: 169.254.255.255 (169.254.255.255) User Datagram Protocol, Src Port: 57621 (57621), Dst Port: 57621 (57621) Data (44 bytes) 0000 53 70 6f 74 55 64 70 30 2f e9 a9 b8 54 bb fc 08 SpotUdp0/...T... 0010 00 01 00 04 48 95 c2 03 a0 3e a6 fe 72 35 8d 42 ....H....>..r5.B 0020 7f 9f 55 d5 34 09 46 65 07 c7 97 c3 ..U.4.Fe.... No. Time Source Destination Protocol Length Info 189 1772.533866000 169.254.195.50 169.254.255.255 UDP 86 Source port: 57621 Destination port: 57621 Frame 189: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0 Ethernet II, Src: CadmusCo_00:fc:d0 (08:00:27:00:fc:d0), Dst: Broadcast (ff:ff:ff:ff:ff:ff) Internet Protocol Version 4, Src: 169.254.195.50 (169.254.195.50), Dst: 169.254.255.255 (169.254.255.255) User Datagram Protocol, Src Port: 57621 (57621), Dst Port: 57621 (57621) Data (44 bytes) 0000 53 70 6f 74 55 64 70 30 2f e9 a9 b8 54 bb fc 08 SpotUdp0/...T... 0010 00 01 00 04 48 95 c2 03 a0 3e a6 fe 72 35 8d 42 ....H....>..r5.B 0020 7f 9f 55 d5 34 09 46 65 07 c7 97 c3 ..U.4.Fe.... Most of them are being transferred to an IP 169.254.255.255 And no, this is not my own IP adress.... Can anybody please help me, I just want to get rid of these connections! Kind regards and thanks in advance, John S. asked 28 Jun '12, 05:47 JohnS |
One Answer:
This does not look like FTP. FTP normally runs over TCP; these packets are UDP. TFTP uses UDP, but there's nothing in these packets that indicates TFTP. 169.254.255.255 is not the IP address of an individual machine. This is the directed broadcast address for the 169.254.0.0/16 network. These are broadcasts. Based on destination port 57621 and the presence of the string "SpotUDP" in the data portion of the packet, this is probably Spotify, which is a streaming music service. How to remove unwanted software is not a Wireshark question, but this should give you enough information to Google for an answer. answered 28 Jun '12, 08:51 Jim Aragon |